Abstract

We prove that every key exchange protocol in the random oracle model in which the honest users make
at most n queries to the oracle can be broken by an adversary making O(n²) queries to the oracle. This
improves on the previous Ω(n⁶) query attack given by Impagliazzo and Rudich (STOC '89). Our bound is
optimal up to a constant factor since Merkle (CACM '78) gave an n query key exchange protocol in this
model that cannot be broken by an adversary making o(n²) queries.

1 Introduction

In the 1970's Diffie, Hellman, and Merkle began to challenge the accepted wisdom that two parties cannot
communicate confidentially over an open channel without first exchanging a secret key using some secure
means. The first such protocol (at least in the open scientific community) was designed by Merkle in 1974
(although only published in 1978 [mer]). Merkle's protocol allows two parties Alice and Bob to agree on a
random number k that will not be known to an eavesdropping adversary Eve. It is described in Figure 1.

One problem with Merkle's protocol is that its security was only analyzed in the random oracle model,
which does not necessarily capture security when instantiated with a cryptographic one-way or hash function
[cgh].¹ But the most serious issue with Merkle's protocol is that it only provides a quadratic gap between
the running time of the honest parties and the adversary. Fortunately, not too long after Merkle, Diffie and
Hellman [dh] and later Rivest, Shamir, and Adleman [rsa] gave constructions for key exchange protocols
that are conjectured to have super-polynomial (even subexponential) security. But because these and later
protocols are based on certain algebraic computational problems, and so could perhaps be vulnerable to
unforeseen attacks using this algebraic structure, it remained an important question to show whether there
exist key exchange protocols with super-polynomial security that use only a random oracle.² The seminal
paper of Impagliazzo and Rudich [ir] answered this question negatively by showing that every key exchange
protocol using n queries in the random oracle model can be broken by an adversary asking O(n⁶ log n) queries.³
… and CCF-0426582, US-Israel BSF grant 2004288 and Packard and Sloan fellowships.
¹Recently, Biham, Goren and Ishai [BGI] gave a security analysis for Merkle's protocol under some concrete complexity
assumptions, namely the existence of exponentially hard one-way functions.

²This is not to be confused with some more recent works such as [BR], that combine the random oracle model with assumptions
on the intractability of other problems such as factoring or the RSA problem.

³More accurately, [ir] gave an O(m⁶ log m)-query attack where m is the maximum of the number of queries n and the number
of communication rounds, though we believe their analysis could be improved to an O(n⁶ log n)-query attack. For the sake
of simplicity, when discussing [ir]'s results we will assume that m = n, though for our result we do not need to make this
assumption.
Merkle's Key Exchange Protocol

Let n be the security parameter. All parties have oracle access to a function H : {0,1}^ℓ → {0,1}^ℓ
chosen at random, where ℓ ≫ log n. The protocol operates as follows:

1. Alice chooses 10n random numbers x_1, ..., x_{10n} in [n²] and sends a_1, ..., a_{10n} to Bob
where a_i = H(x_i) (embed [n²] in {0,1}^ℓ in some canonical way).

2. Bob chooses 10n random numbers y_1, ..., y_{10n} in [n²] and sends b_1, ..., b_{10n} to Alice where
b_j = H(y_j).

3. With probability at least 0.9, there will be at least one "collision" between Alice's
and Bob's messages: a pair i, j such that a_i = b_j. Alice and Bob choose the lexico-
graphically first such pair, and Alice sets s_a = x_i as her secret, and Bob sets s_b = y_j
as his secret. If no collision occurred they will not choose any secret. Note that as-
suming 2^ℓ ≫ n⁴, H will be one to one on [n²] with very high probability and hence
H(x_i) = H(y_j) implies x_i = y_j.

To analyze the protocol one shows that the collision is distributed uniformly in [n²] and
deduces that an adversary Eve that makes o(n²) queries to the oracle will find the secret
with o(1) probability.

Figure 1: Merkle's key exchange protocol. (Merkle described his protocol using "puzzles" that can be implemented via
some ideal cryptographic primitive; we describe the protocol in the case that the puzzles are implemented by a random oracle.)
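As an added illustration (this is not code from the paper), the following Python simulation runs the protocol of Figure 1 against a lazily sampled random oracle that attributes every query to its caller, and then lets a brute-force Eve recompute the colliding value from the transcript and invert it over [n²]. The parameters n = 64 and ℓ = 64, the per-caller query counter and Eve's random inversion order are my choices; the honest parties spend 20n queries while Eve needs up to n² (about n²/2 on average), which is the quadratic gap the figure's analysis refers to.

```python
"""Simulation of Merkle's key exchange (Figure 1) in the random oracle model.
Added example, not the paper's code: it counts the oracle queries of the honest
parties against those of a brute-force eavesdropper."""
import collections
import random


class RandomOracle:
    """Lazily sampled random function H : {0,1}^ell -> {0,1}^ell.
    Each query is attributed to a caller so the query gap can be measured."""

    def __init__(self, ell, rng):
        self.ell, self.rng = ell, rng
        self.table = {}                      # memo: the same input always gets the same answer
        self.queries = collections.Counter()

    def query(self, who, x):
        self.queries[who] += 1
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.ell)
        return self.table[x]


def first_collision(a, b):
    """Lexicographically first pair (i, j) with a[i] == b[j], or None."""
    first_j = {}
    for j, v in enumerate(b):
        first_j.setdefault(v, j)
    for i, v in enumerate(a):
        if v in first_j:
            return i, first_j[v]
    return None


def merkle_exchange(n, oracle, rng):
    """Honest run with 10n samples each from [n^2]; returns (s_a, s_b, transcript)."""
    N = n * n
    xs = [rng.randrange(N) for _ in range(10 * n)]
    ys = [rng.randrange(N) for _ in range(10 * n)]
    a = [oracle.query("alice", x) for x in xs]   # Alice's message a_1..a_{10n}
    b = [oracle.query("bob", y) for y in ys]     # Bob's message b_1..b_{10n}
    pair = first_collision(a, b)
    if pair is None:
        return None, None, (a, b)                # no collision: no secret chosen
    i, j = pair
    return xs[i], ys[j], (a, b)


def eve_brute_force(n, oracle, transcript, rng):
    """Eve sees a and b, recomputes the colliding image v = a_i = b_j, and inverts H
    on [n^2] by querying candidates in random order. Since H is one-to-one on [n^2]
    with high probability, the preimage she finds is the shared secret. Expected
    cost is about n^2 / 2 queries, matching the o(n^2) bound quoted in the figure."""
    a, b = transcript
    pair = first_collision(a, b)
    if pair is None:
        return None
    v = a[pair[0]]
    for cand in rng.sample(range(n * n), n * n):
        if oracle.query("eve", cand) == v:
            return cand
    return None


def run(n=64, ell=64, seed=0):
    """One full experiment; parameters are constructed for this example."""
    rng = random.Random(seed)
    oracle = RandomOracle(ell, rng)
    s_a, s_b, transcript = merkle_exchange(n, oracle, rng)
    guess = eve_brute_force(n, oracle, transcript, rng)
    return {"s_a": s_a, "s_b": s_b, "eve": guess,
            "honest_queries": oracle.queries["alice"] + oracle.queries["bob"],
            "eve_queries": oracle.queries["eve"]}


if __name__ == "__main__":
    print(run())
```

With n = 64 the honest parties make exactly 1280 queries, while Eve's inversion loop stops somewhere in [1, 4096]; raising n widens the ratio linearly, which is all the security Merkle's construction offers.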

Since a random oracle is in particular a one-way function (with high probability), this implied that there is no 
construction of a key exchange protocol based on a one-way function with a proof of super-polynomial security 
that is of the standard black-box type (i.e., a proof that transforms an adversary breaking the protocol into 
an inversion algorithm for the one-way function that only uses the adversary and the function as black boxes). 
Indeed, that was the motivation behind their result. 

Still, Impagliazzo and Rudich left as an open question [ir, Section 8] whether there exist protocols in the
random oracle model with ω(n²) security or whether in fact Merkle's protocol is optimal. One motivation for this
question is practical — protocols with a sufficiently large polynomial gap could be secure enough in practice
(e.g., a key exchange protocol taking 10⁹ operations to run and (10⁹)² = 10¹⁸ operations to break could be
good enough for many applications), and in fact as technology improves, such polynomial gaps only become
more useful. Another motivation is theoretical — since Merkle's protocol has very limited interaction (it
consists of one round in which both parties simultaneously broadcast a message) it's natural to ask whether
more interaction can help achieve some polynomial advantage over this simple protocol.

In this work we answer the above question, by showing that every protocol in the random oracle model
where Alice and Bob make n oracle queries can be broken with high probability by an adversary making
O(n²) queries. That is, we prove the following:

Theorem 1.1. Let Π be a two-party protocol in the random oracle model such that when executing Π the two
parties Alice and Bob make a total of at most n queries, and their outputs are identical with probability at
least ρ. Then, there is an adversary Eve making O(n²/δ²) queries to the oracle whose output agrees with Bob's
output with probability at least ρ − δ.

As is the case in [ir], our result can be shown to rule out the existence of black-box constructions of a
key exchange protocol with super-quadratic security from a one-way function, though we omit the details.⁴

⁴To formalize the above statement, one needs to quantify what it means for a black-box reduction of a primitive X to a
(footnote 4 continues in Section 2)

To the best of our knowledge, no better bound than [ir] was previously known even in this case, where one
does not assume the one-way function is a random oracle (hence making the task of proving a negative result
easier). We note that similarly to previous black-box separation results, our adversary can be implemented
efficiently in a relativized world where P = NP, meaning that we also rule out the somewhat larger family
of relativizing reductions.

Correction of error: A previous version of this manuscript [bmg] claimed a different proof of the same
result. However, we have found a bug in that proof — see Appendix A. In fact the current proof is quite
different from the one claimed in [bmg]. In [bmg] we also claimed an extension of Theorem 1.1 to the case
of protocols with an oracle to a random permutation (i.e., a random one-to-one function R from {0,1}* to
{0,1}* such that |R(x)| = |x| for every x ∈ {0,1}*). We do not know of an extension of the current proof to
this model, beyond the observation of [ir] that any m-query attack in the random oracle model translates into
an O(m²)-query attack in the random permutation model. Hence our results imply an O(n⁴)-query attack
in the latter model, improving on the previous O(n¹²)-query attack of [ir].

We also note that shortly after we posted the manuscript [bmg], Sotakova [sot] posted an independently
obtained weaker result, showing that protocols with only one round of interaction (each party sends one
message) and non-adaptive queries can achieve at most O(n²) security. In contrast, as in the work of [ir], in
this paper we allow protocols where the parties' choice of queries is adaptive and they can use an arbitrary
polynomial number of interaction rounds.⁵ The one-round case seems to be simpler, and in particular the
bug found in our previous proof does not apply to that case.

2 Our techniques 

It is instructive to compare our techniques with the techniques of the previous work by Impagliazzo and 
Rudich [ir]. In order to do this, we review [ir]'s attack and outline of analysis, and particularly the subtle 
issue of dependence between Alice and Bob that arises in both works. The main novelty of our work is the
way we deal with this issue, which is different from the approach of [ir]. We believe that this review of [ir]'s
analysis and the way it compares to ours can serve as a useful introduction to our actual analysis. However, 
no result of this section is used in the later sections, and so the reader should feel free at any time to skip 
ahead to Sections 3 and 4 that contain our actual attack and its analysis. 

Consider a protocol that consists of n rounds of interaction, where each party makes exactly one oracle
query before sending its message. [ir] called protocols of this type "normal-form protocols" and gave an
O(n³ log n) attack against them (their final result was obtained by transforming every protocol into a normal-form
protocol with a quadratic loss of efficiency). Although without loss of generality the attacker Eve of a key
exchange protocol can defer all of her computation till after the interaction between Alice and Bob is finished,
it is conceptually simpler in both [ir]'s case and ours to think of the attacker Eve as running concurrently
with Alice and Bob. In particular, the attacker Eve of [ir] performed the following operations after each
round i of the protocol:

• If the round i is one in which Bob sent a message, then at this point Eve samples 1000n log n random
executions of Bob from the distribution of Bob's executions that are consistent with the information
that Eve has at that moment (communication transcript and previous oracle answers). That is, Eve
samples a uniformly random tape for Bob and uniformly random query answers subject to being con-
sistent with Eve's information. After each time that she samples an execution, Eve asks the oracle all
the queries asked during this execution and records the answers. (Generally, the true answers will not
be the same answers as the ones Eve guessed when sampling the execution.)

• Similarly, if the round i is one in which Alice sent a message then Eve samples 1000n log n executions
of Alice and makes the corresponding queries.

⁴(continued) primitive Y to show T security. Since there is no meaningful notion of running time for a black-box reduction, we believe the
correct formalization is that the reduction works for every adversary that makes at most T queries to the primitive Y. Under this
formalization, the above statement follows immediately from our results combined with the well-known fact that a random oracle
is a one-way function.

⁵In fact, because we count only the number of oracle queries made by the honest parties, we can even allow a super-polynomial
number of rounds.

Overall Eve will sample O(n² log n) executions making a total of O(n³ log n) queries. It's not hard to see that as
long as Eve learns all of the intersection queries (queries asked by both Alice and Bob during the execution) 
then she can recover the shared secret with high probability (see also Theorem 5.1 below). Thus the bulk 
of [ir]'s analysis was devoted to showing the following statement, denoted below by (*): With probability at 
least 0.9 Eve never fails, where we say that Eve fails at round i if the query made in this round by, say, Alice 
was asked previously by Bob but not by Eve. 

2.1 The issue of independence 

At first look, it may seem that one could easily prove (*). Indeed, (*) will follow by showing that at
any round i, the probability that Eve fails in round i for the first time is at most 1/(10n). Now all the
communication between Alice and Bob is observed by Eve, and if no failure has yet happened then Eve
has also observed all the intersection queries so far. Because the answers for non-intersection queries are
completely random and independent from one another it seems that Alice has no more information about
Bob than Eve does, and hence if the probability that Alice's query q was asked before by Bob is more than
1/(10n) then this query q has probability at least 1/(10n) to appear in each one of Eve's sampled executions
of Bob. Since Eve makes 1000n log n such samples, the probability that Eve misses q would be bounded by
(1 − 1/(10n))^{1000n log n} < 1/(10n).

When trying to make this intuition into a proof, the assumption that Eve has as much information about 
Bob as Alice does translates to the following statement: conditioned on Eve's information, the distributions 
of Alice's view and Bob's view are independent from one another.⁶ Indeed, if this statement were true then
the above paragraph could be easily translated into a proof that [ir]'s attacker is successful, and it wouldn't
have been hard to optimize this attacker to achieve O(n²) queries. Alas, this statement is false. Intuitively
the reason is the following: even the fact that Eve has not missed any intersection queries is some non-trivial
information that Alice and Bob share and creates dependence between them.⁷

Impagliazzo and Rudich [ir] dealt with this issue by a "charging argument", where they showed that the
probability of such dependence can be charged in a certain way to one of the executions sampled by Eve, 
in a way that at most n samples can be charged at each round. The exact details are not crucial to the 
current work, though this is to some extent the heart of [ir]'s analysis and the cause of most of the technical 
complications there. 

2.2 Our approach 

We now describe our approach and how it differs from the previous proof of [ir]. The discussion below is 
somewhat high level and vague, and glosses over some important details. Again, the reader is welcome to 
skip ahead at any time to Section 3 that contains the full description of our attack, and does not depend on 
this section in any way. 

Our attacking algorithm follows the same general outline, but has two important differences from the 
attacker of [ir]: 

⁶Readers familiar with the setting of communication complexity may note that this is analogous to the well-known fact that
conditioning on any transcript of a 2-party communication protocol results in a product distribution (i.e., combinatorial rectangle)
over the inputs. However, things are different in the presence of a random oracle.

⁷As a simple example consider a protocol where in the first round Alice chooses x to be either the string 0ⁿ or 1ⁿ at random,
queries the oracle H at x and sends y = H(x) to Bob. Now Bob makes the query 1ⁿ and gets y' = H(1ⁿ). Now even if Alice
chose x = 0ⁿ and hence Alice and Bob have no intersection queries, Bob can find out the value of x just by observing that y' ≠ y.
1. One quantitative difference is that while our attacker Eve also computes a distribution D of possible
executions of Alice and Bob conditioned on her knowledge, she does not sample from D full executions
and then ask the arising queries. Rather, she computes whether there is any heavy query — a string
q ∈ {0,1}* that has probability more than, say, 1/(100n) of being queried in D — and makes only such
heavy queries. Intuitively, since Alice and Bob make at most 2n queries, the total number of heavy
queries (and hence the query complexity of Eve) is bounded by O(n²). The actual analysis is more
involved since the distribution D keeps changing as Eve learns more information through the messages
she observes and query answers she receives. We omit the details in this high-level overview.

2. The qualitative difference between the two attackers is that we do not consider the same distribution D 
that was considered by [ir]. Their attacker to some extent "pretended" that the conditional distributions
of Alice and Bob are independent from one another, and hence when trying to guess Bob's queries, 
only sampled consistent executions of Bob. In contrast, we define our distribution D to be the real 
distribution of Alice and Bob, where there could be dependencies between them. Thus to sample from 
our distribution D one would need to sample a pair of executions of Alice and Bob (random tapes and 
oracle answers) that are jointly consistent. Another (less important) point is that the distribution D 
computed by Eve at each point in time will be conditioned not only on Eve's knowledge so far, but also 
on the event that she has not failed until this point. 

The main challenge in the analysis is to prove that the attack is successful, that is, that the statement (*)
above holds, and in particular that the probability of failure at each round (or more generally, at each query
of Alice or Bob) is bounded by, say, 1/(10n). Once more, things would have been easy if we knew that the
distribution D of the possible executions of Alice and Bob conditioned on Eve's knowledge (and not having
failed so far) is a product distribution, and hence Alice has no more information on Bob than Eve has. While
this is not generally true, we show that in our attack this distribution is close to being a product distribution,
in a precise sense we define below.

At any point in the execution, fix Eve's current information about the system and define a bipartite graph 
G whose left-side vertices correspond to possible executions of Alice that are consistent with Eve's information 
and right-side vertices correspond to possible executions of Bob consistent with Eve's information. We put 
an edge between two executions A and B if they are consistent with one another and moreover if they do 
not represent an execution in which Eve failed prior to this point (i.e., there is no intersection query that 
is asked in both executions A and B but not by Eve). The distribution D that our attacker Eve considers
can be thought of as choosing a random edge in the graph G. (Note that the graph G and the distribution
D change at each point that Eve learns some new information about the system.) If G were the complete
bipartite clique then D would be a product distribution. What we show is that G is dense in the sense that
each vertex is connected to at least half the vertices on the other side. We show that this implies that Alice's 
probability of hitting a query that Bob asked before is at most twice the probability that Eve does so if she 
chooses the most likely query based on her knowledge. 

The bound on the degree is obtained by showing that G can be represented as a disjointness graph, where
each vertex u is associated with a set S(u) (from an arbitrarily large universe) and there is an edge between a
left-side vertex u and a right-side vertex v if and only if S(u) ∩ S(v) = ∅.⁸ We show that this particular graph
has the property that |S(u)| ≤ n for all vertices u, and also the property that the distribution S(u) ∪ S(v) for
a random edge {u, v} is light in the sense that there is no element q in the universe that has probability more
than 1/(10n) of being contained in a set chosen from this distribution. We then show that these properties
together imply that each vertex is connected to at least half of the vertices on the other side.

Comparison with [ir]. One can also phrase the analysis of [ir] in terms of a similar bipartite graph.
Their argument involved fixing, say, Alice's execution, which corresponds to fixing a left-side vertex u; they
then showed that if the degree of u is high (e.g., u is connected to at least half of the right side) then their
attacker is likely not to fail at this point. On the other hand, they showed that if the degree of u is low, then
by taking a random vertex v on the right side and making all queries in the corresponding execution to the
oracle, one is likely to make progress in the sense that we learn a new query made in the execution corresponding
to u. Now there are at most n new queries to learn, and hence if we sample 1000n log n executions, then in
most of them we're in the high degree case. This potential/charging argument inherently requires sampling
all queries of the execution, rather than only the heavy ones, hence incurring a cost of at least n² queries per
round or n³ queries total. It also seems hard to generalize this argument to protocols that are not in normal
form, which is the reason their attacker for general protocols required Ω(n⁶) queries.

⁸The set S(u) will correspond to the queries that are made in the execution corresponding to u but not made by Eve.

3 Our attacker 

A key exchange protocol Π involves Alice and Bob tossing coins and then running a protocol having
access to a random oracle that is a random function from {0,1}^ℓ to {0,1}^ℓ for some ℓ ∈ ℕ. We assume
that the protocol proceeds in some finite number of rounds, and no party asks the same query twice. In
round k, if k is odd then Alice makes some number of queries and sends a message to Bob (and then Eve
asks some oracle queries), and if k is even then Bob makes some queries and sends a message to Alice (and
then Eve asks some oracle queries). At the end of the protocol Alice obtains an output string s_a and Bob
obtains an output string s_b. We assume that there is some constant ρ > 0 such that Pr[s_a = s_b] ≥ ρ, where
the probability is over the coin tosses of Alice and Bob and the randomness of the oracle. We will establish
Theorem 1.1 by proving that an attacker can make O(n²) queries to learn s_b with probability arbitrarily close
to ρ.

In this section we describe an attack for Eve trying to find a set of size O(n²) which contains all the
queries asked by Alice and Bob in the random oracle model. This attack is analyzed in Section 4 to show
that it is successful in finding all intersection queries and is efficient (i.e., will not ask more than O(n²) many
queries). Then this attack is used in Section 5 in order to find the actual secret.

3.1 Attacking algorithm 

We start by showing that an attacker can find all the intersection queries (those asked by both Alice and 
Bob) with high probability. It turns out that this is the main step in showing that an attacker can find the 
secret with high probability (see Theorem 5.1 below). 

Theorem 3.1. Let Π be a key exchange protocol in the random oracle model in which Alice and Bob ask at
most n oracle queries each. Then for every δ > 0 there is an adversary Eve who has access to the messages
sent between Alice and Bob and asks at most (100n/δ)² queries such that Eve's queries contain all the
intersection queries of Alice and Bob with probability at least 1 − δ.

To prove Theorem 3.1 we need to show an attacking algorithm Eve that learns the intersection queries
between Alice and Bob using at most O(n²) queries. Letting ε = δ/100, our attack can be described in one
sentence as follows:

As long as there exists a string q such that, conditioned on Eve's current knowledge and assuming
that no intersection query was missed so far, the probability that q was asked in the past (by either
Alice or Bob) is at least ε/n, Eve makes the query q to the oracle.

To describe the attack more formally, we need to introduce some notation. We fix n to be the number of
oracle queries asked by Alice and Bob and assume without loss of generality that all the queries are of length
ℓ = ℓ(n) for some ℓ ∈ ℕ. We will make the simplifying assumption that the protocol is in normal form —
that is, at every round of the protocol Alice or Bob make exactly one query to the oracle (and hence there
are 2n rounds). Later in Section 4.3 we will show how our analysis extends to protocols that are not of this
form. Below and throughout the paper, we often identify a distribution D with a random variable distributed
according to D.

Executions and the distribution EXEC. An execution of Alice, Bob, and Eve can be described by a
tuple (r_a, h_a, r_b, h_b, I) where r_a denotes Alice's random tape, h_a denotes the sequence of answers that Alice
gets in response to her oracle queries during the execution, r_b and h_b are defined analogously, and I denotes
the set of all query/answer pairs that Eve learns during the execution. We say that a tuple (r_a, h_a, r_b, h_b, I)
is consistent if it describes an execution of Alice, Bob and Eve in which whenever two parties make the same
query to the oracle they get the same answer. A partial execution is an execution truncated at a certain point
in time (that is, the transcripts contain only the oracle answers for queries that are asked up to that point).
We denote by EXEC the distribution over (full) executions that is obtained by running the algorithms for
Alice, Bob and Eve with uniformly chosen random tapes and a random oracle.

The distribution EXEC(M, I). For M = [m_1, ..., m_i] a sequence of i messages, and I a set of query/answer
pairs, we denote by EXEC(M, I) the distribution over partial executions up to the point in the system in
which the i-th message is sent (by Alice or Bob), where the transcript of messages equals M and the set of
query/answer pairs that Eve learns equals I. Note that we can verify that I is consistent with M by simulating
Eve's algorithm on the transcript M, checking that whenever Eve makes a query, this query is in I, in which
case we feed Eve with the corresponding answer (and verifying at the end that there are no "extra" queries in
I not asked by Eve). Thus for every (M, I) that can be obtained from running the protocol, the distribution
EXEC(M, I) is equal to the distribution obtained by sampling (r_a, h_a, r_b, h_b) at random conditioned on being
consistent with one another and with (M, I).

The event Good(M, I) and the distribution GEXEC(M, I). The event Good(M, I) is defined as the event
over EXEC(M, I) that all the intersection queries asked by Alice and Bob during the partial execution are in
I. More formally let Q(A) (resp. Q(B)) be the set of queries asked by Alice (resp. Bob) which are specified
by the view of Alice (resp. Bob) consisting of her private randomness, oracle answers, and the messages
received till the moment specified by (M, I). Therefore Good(M, I) is the same as Q(A) ∩ Q(B) ⊆ Q(I)
where Q(I) is the set of queries of I (note that I is a set of query/answer pairs). We define the distribution
GEXEC(M, I) to be the distribution EXEC(M, I) conditioned on Good(M, I).

Eve's algorithm. The attacker Eve's algorithm is specified as follows. It is parameterized by some constant
ε > 0 which we assume is smaller than 1/10. At any point in the execution, if M is the sequence of messages
Eve observed so far and I is the set of query/answer pairs she learned so far, Eve computes for every q ∈ {0,1}^ℓ
the probability p_q that q appears as a query in a random execution in GEXEC(M, I). If p_q ≥ ε/n then Eve
asks q from the oracle and adds q and its answer to I. (If there is more than one such q then Eve asks the
lexicographically first one.) Eve continues in this way until there is no additional query she can ask, at which
point she waits until she gets new information (i.e., observes a new message sent between Alice and Bob).

Note that Eve's algorithm as stated above has no a priori bound on the number of queries it asks. However,
we will show that the probability that Eve asks more than n²/ε² queries is bounded by O(ε), and hence we
can stop Eve after asking this many queries without changing her success probability significantly.

Remark 3.2. The attacking algorithm above is not computationally efficient, as in general computing the
probability distribution GEXEC(M, I) could be a hard problem since it involves "inverting" the algorithms
of Alice and Bob to a certain extent. But because computing these probabilities is in #P, we can use known
techniques (e.g., [bgp]) to approximate them with arbitrarily good precision using an NP-oracle. In particular
this means that our attacker (as was the case in previous works) is computationally efficient in a relativized
world in which P = NP, and hence this result also rules out relativizing reductions from one-way functions
to key exchange that achieve ω(n²) security.
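The following Python code is an added toy instantiation of Eve's algorithm above; it is not the paper's code, and it sidesteps the hardness noted in Remark 3.2 only by brute force. The oracle is a function H : [D] → [R] with D = 5 and R = 3 (my choice), the protocol is a two-round normal-form exchange in which Alice queries x and sends H(x) and Bob queries y and sends H(y) (so n = 2 and x = y is the only possible intersection query), and GEXEC(M, I) is computed exactly by enumerating every (x, y, H) that agrees with the transcript M, with Eve's known pairs I, and with the event Good(M, I). Eve then repeatedly queries the lexicographically first unknown q with p_q ≥ ε/n, using ε = 0.05 (my choice, within the paper's ε < 1/10).

```python
"""Added toy model of the heavy-query attacker of Section 3.1 (not the paper's code).
The oracle H : [D] -> [R] is tiny so that GEXEC(M, I) can be computed by
exhaustive enumeration instead of sampling or an NP-oracle."""
import itertools
import random

D, R = 5, 3        # domain and range sizes of the toy random oracle (constructed)
N_HONEST = 2       # n: total honest queries (Alice one, Bob one)
EPS = 0.05         # epsilon < 1/10 as required by Eve's algorithm


def protocol(x, y, H):
    """Two-round normal-form protocol: round 1 Alice queries x and sends H(x),
    round 2 Bob queries y and sends H(y). Returns [(query, message), ...]."""
    return [(x, H[x]), (y, H[y])]


def all_executions():
    """Every (x, y, H): Alice's tape, Bob's tape and the whole oracle table."""
    for H in itertools.product(range(R), repeat=D):
        for x in range(D):
            for y in range(D):
                yield x, y, H


def gexec_query_probs(M, I):
    """p_q for every q in [D]: the probability that q was asked (by Alice or Bob)
    in a random partial execution from GEXEC(M, I), i.e. executions whose first
    len(M) messages equal M, whose oracle agrees with I, and in which every
    intersection query so far already lies in I (the event Good(M, I))."""
    counts = {q: 0 for q in range(D)}
    total = 0
    for x, y, H in all_executions():
        rounds = protocol(x, y, H)[:len(M)]
        if [msg for _, msg in rounds] != M:
            continue                      # inconsistent with the transcript
        if any(H[q] != ans for q, ans in I.items()):
            continue                      # inconsistent with Eve's oracle answers
        asked = [q for q, _ in rounds]
        if len(asked) == 2 and asked[0] == asked[1] and asked[0] not in I:
            continue                      # Good(M, I) fails: a missed intersection query
        total += 1
        for q in set(asked):
            counts[q] += 1
    if total == 0:
        return {q: 0.0 for q in range(D)}, 0
    return {q: counts[q] / total for q in range(D)}, total


def eve_learn(M, I, H, order):
    """Eve's rule: while some unknown q has p_q >= eps/n, ask the lexicographically
    first such q and record its true answer H[q] in I."""
    while True:
        probs, _ = gexec_query_probs(M, I)
        heavy = [q for q in range(D) if q not in I and probs[q] >= EPS / N_HONEST]
        if not heavy:
            return I
        q = heavy[0]
        I[q] = H[q]
        order.append(q)


def run_attack(seed):
    """One real execution with Eve run after each message.
    Returns (all intersection queries learned?, |I|, Eve's query order)."""
    rng = random.Random(seed)
    H = tuple(rng.randrange(R) for _ in range(D))
    x, y = rng.randrange(D), rng.randrange(D)
    M, I, order = [], {}, []
    for _, msg in protocol(x, y, H):
        M.append(msg)
        I = eve_learn(M, I, H, order)
    intersection = {x} & {y}
    return intersection <= set(I), len(I), order


if __name__ == "__main__":
    print(run_attack(0))
```

Before Eve learns anything, every q has p_q = 1/D after Alice's message; once she learns H(0) = a she can check that the mass shifts to 3/7 on q = 0 and 1/7 on each other q, which stays above ε/n, so for this Merkle-like protocol every candidate is heavy and Eve ends up learning the whole table. That is the behaviour the paper predicts, since Merkle's construction cannot be broken with o(n²) queries; a protocol whose queries are not all equally likely would leave some q below the threshold and cost Eve fewer queries.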
4 Analysis of attack: proof of Theorem 3.1

For i ∈ [2n], define the event Fail_i to be the event that the query made at the i-th round is an intersection
query but is not contained in the set I of query/answer pairs known by Eve, and moreover that this is
the first query satisfying this condition. Let the event Fail = ∨_i Fail_i be the event that at some point an
intersection query is missed by Eve, and let the event Long be that Eve makes more than n²/ε² queries. By
setting ε = δ/100 and stopping Eve after n²/ε² queries, Theorem 3.1 immediately follows from the following
two lemmas:

Lemma 4.1 (Attack is successful). For every i, Pr_EXEC[Fail_i] ≤ 10ε/n. Therefore by a union bound we have
Pr[Fail] ≤ 20ε.

Lemma 4.2 (Attack is efficient). Pr_EXEC[Long] ≤ 80ε.

4.1 Success of attack: proof of Lemma 4.1

We now turn to proving Lemma 4.1. It will follow from the following stronger result:

Lemma 4.3. Let i be even and let B = (r_b, h_b) be some fixing of Bob's view in an execution up to the i-th
message sent by him, and let M, I be some fixing of the messages exchanged and query/answer pairs learned
by Eve in this execution such that Pr_EXEC(M,I)[Good(M, I) | B] > 0. Then,

Pr_GEXEC(M,I)[Fail_i | B] ≤ 10ε/n.

That is, the probability that Fail_i happens is at most 10ε/n conditioning on Eve's information equalling M, I,
Bob's view of the execution equalling B and Good(M, I).

Proof of Lemma 4.1 from Lemma 4.3. Lemma 4.3 implies that in particular for every even i, Pr_EXEC[Fail_i | Good_i] ≤
10ε/n, where Good_i denotes the event Good(M, I) where M, I are Eve's information just before the i-th
round. But since Fail_i is the event that Eve fails at round i for the first time, Fail_i implies Good_i and hence
Pr_EXEC[Fail_i] ≤ Pr_EXEC[Fail_i | Good_i], establishing the statement of Lemma 4.1 for every even i. By symmetry,
the analog of Lemma 4.3 for odd i also holds with the roles of Alice and Bob reversed, completing the proof
for all i. □

Proof outline of Lemma 4.3. Our approach to proving Lemma 4.3 is as follows:

1. We start by observing that the Lemma would be easy if the distribution GEXEC(M, I) were
a product distribution, with the views of Alice and Bob independent from one another. Roughly
speaking this is because in this case Bob has no more information than Eve on the queries Alice made
in the past, and hence also from Bob's point of view, no query is more probable than ε/n to have been
asked by Alice.

2. Unfortunately this is not the case. However, we can show that the distribution GEXEC(M, I) is equal
to the distribution obtained by taking some product distribution A × B and conditioning it on the event
Good(M, I). (A similar observation was made by [ir], see Lemma 6.5 there.)

3. This product characterization implies that we can think of GEXEC as a distribution over random edges
of some bipartite graph G. Using some insights on the way this graph is defined, and the definition of
our attacking algorithm, we will show that every vertex in G is connected to at least half of the vertices
on the other side. We then show that this implies that Bob's chance of asking a query outside of I that
was asked before by Alice is bounded by O(ε/n).
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4.1.1 Product characterization of Q£X£C{M,2) 

If $M,\mathcal{I}$ denote Eve's information just before the $i$-th round, then we know that conditioned on $M,\mathcal{I}$, no query
has probability more than $\epsilon/n$ of having been asked before by Alice, where this probability is taken over $\mathcal{GEXEC}(M,\mathcal{I})$. Hence
if we could just show that from Bob's point of view Alice's distribution is the same as it is
from Eve's, we'd be done. Unfortunately, this is not true: there may be dependencies between Alice and
Bob that are not captured by $M,\mathcal{I}$, even if $\mathrm{Good}(M,\mathcal{I})$ holds. Fortunately, we have a weaker statement:
$\mathcal{GEXEC}(M,\mathcal{I})$ is equal to a product distribution conditioned on the event $\mathrm{Good}(M,\mathcal{I})$. (Note that the
fact that $\mathcal{GEXEC}(M,\mathcal{I})$ is equal to a product distribution conditioned on some event is meaningless, since every
distribution has this property. Rather, we use the fact that this condition is the particular event $\mathrm{Good}(M,\mathcal{I})$.)

Lemma 4.4 (Product characterization). For every $M,\mathcal{I}$ denoting Eve's information up to just before the
$i$-th query, if $\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\mathrm{Good}(M,\mathcal{I})] > 0$, there exist a distribution $\mathcal{A}$ (resp. $\mathcal{B}$) over Alice's (resp. Bob's)
computation up to that point such that^

$$\mathcal{GEXEC}(M,\mathcal{I}) = (\mathcal{A} \times \mathcal{B}) \mid \mathrm{Good}(M,\mathcal{I}) \tag{1}$$

Proof. We will show that for every pair of Alice/Bob executions $(A,B)$ that satisfy the event $\mathrm{Good}(M,\mathcal{I})$,
$\Pr_{\mathcal{GEXEC}(M,\mathcal{I})}[(A,B)] = c\,\alpha_A\beta_B$, where $\alpha_A$ depends only on $A$, $\beta_B$ depends only on $B$ and $c$ is a constant
depending only on $M,\mathcal{I}$. This means that if we let $\mathcal{A}$ be the distribution such that $\Pr_{\mathcal{A}}[A]$ is proportional
to $\alpha_A$, and $\mathcal{B}$ be the distribution such that $\Pr_{\mathcal{B}}[B]$ is proportional to $\beta_B$, then $\mathcal{GEXEC}(M,\mathcal{I})$ is proportional
(and hence equal) to the distribution $\mathcal{A} \times \mathcal{B} \mid \mathrm{Good}(M,\mathcal{I})$. (Note that if $(A,B)$ do not satisfy $\mathrm{Good}(M,\mathcal{I})$
then $\Pr_{\mathcal{GEXEC}(M,\mathcal{I})}[(A,B)] = 0$.)
By definition,

$$\Pr_{\mathcal{GEXEC}(M,\mathcal{I})}[(A,B)] = \frac{\Pr_{\mathcal{EXEC}}[(A,B,M,\mathcal{I}) \text{ happen}]}{\Pr_{\mathcal{EXEC}}[(M,\mathcal{I}) \text{ happen} \wedge \mathrm{Good}(M,\mathcal{I})]} .$$

The denominator of the right-hand side depends only on $M$ and $\mathcal{I}$. The numerator is equal to

$$2^{-|r_A|}\, 2^{-|r_B|}\, 2^{-\ell\,|Q(A) \cup Q(B) \cup Q(\mathcal{I})|},$$

where $\ell$ is the length of an oracle answer. The reason is that the necessary and sufficient condition for getting $(A,B,M,\mathcal{I})$ in the system is that when
we choose $(r_A, r_B, H)$ to run the whole system we choose these specific random seeds $r_A, r_B$, and we
choose the answers specified in $(A,B,\mathcal{I})$ to the queries in $Q(A) \cup Q(B) \cup Q(\mathcal{I})$. The messages in $M$ will then
be generated by Alice and Bob correctly. Let $\alpha_A = 2^{-|r_A|}\, 2^{-\ell|Q(A) \setminus Q(\mathcal{I})|}$ and $\beta_B = 2^{-|r_B|}\, 2^{-\ell|Q(B) \setminus Q(\mathcal{I})|}$. Since
$(Q(A) \setminus Q(\mathcal{I})) \cap (Q(B) \setminus Q(\mathcal{I})) = \emptyset$, the numerator is equal to $2^{-|r_A|}\, 2^{-|r_B|}\, 2^{-\ell|Q(A) \cup Q(B) \cup Q(\mathcal{I})|} = \alpha_A\beta_B\, 2^{-\ell|Q(\mathcal{I})|}$.
Therefore $\Pr_{\mathcal{GEXEC}(M,\mathcal{I})}[(A,B)] = c(M,\mathcal{I})\,\alpha_A\beta_B$ where $c(M,\mathcal{I})$ only depends on $(M,\mathcal{I})$. □

4.1.2 Graph characterization of $\mathcal{GEXEC}(M,\mathcal{I})$

Fixing $M,\mathcal{I}$ that contain Eve's view up to just before the $i$-th round, define a bipartite graph $G = (V_L, V_R, E)$ as
follows. Every node $u \in V_L$ will have a corresponding view $A_u$ of Alice that is in the support of the distribution
$\mathcal{A}$ obtained from Lemma 4.4; we let the number of nodes corresponding to a view $A$ be proportional to $\Pr_{\mathcal{A}}[A]$,
meaning that $\mathcal{A}$ corresponds to the uniform distribution over the left-side vertices $V_L$. Similarly, every node
$v \in V_R$ will have a corresponding view of Bob $B_v$ such that $\mathcal{B}$ corresponds to the uniform distribution over
$V_R$. We define $Q_u = Q(A_u) \setminus Q(\mathcal{I})$ for $u \in V_L$ to be the set of queries outside of $\mathcal{I}$ that were asked by Alice
in the view $A_u$, and define $Q_v = Q(B_v) \setminus Q(\mathcal{I})$ similarly. We put an edge in the graph between $u$ and $v$
(denoted by $u \sim v$) if and only if $Q_u \cap Q_v = \emptyset$. Lemma 4.4 implies that the distribution $\mathcal{GEXEC}(M,\mathcal{I})$ is
equal to the distribution obtained by letting $(u,v)$ be a random edge of the graph $G$ and choosing $(A_u, B_v)$.

^ Note that the right-hand side of (1) is a distribution over pairs of Alice's and Bob's views, while formally $\mathcal{GEXEC}(M,\mathcal{I})$ is
a distribution over full executions that also contain Eve's view. However, since Eve's view in $\mathcal{GEXEC}(M,\mathcal{I})$ is always fixed to
$(M,\mathcal{I})$, we can consider $\mathcal{GEXEC}(M,\mathcal{I})$ to be a distribution only over Alice's and Bob's views.



Note that because we assumed $\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\mathrm{Good}(M,\mathcal{I})] > 0$, this graph is nonempty. It turns out that this
graph is dense:

Lemma 4.5. Let $G = (V_L, V_R, E)$ be the graph above. Then for every $u \in V_L$, $d(u) \ge |V_R|(1 - 2\epsilon)$ and for
every $v \in V_R$, $d(v) \ge |V_L|(1 - 2\epsilon)$, where $d(w)$ is the degree of the vertex $w$.

Proof. We first show that for every $w \in V_L$, $\sum_{v \in V_R,\, w \not\sim v} d(v) \le \epsilon|E|$. The reason is that the probability
of vertex $v$ being chosen when we choose a random edge is $d(v)/|E|$, and if $\sum_{v \not\sim w} d(v)/|E| > \epsilon$, it means that
$\Pr_{(u,v) \leftarrow_R E}[Q_w \cap Q_v \ne \emptyset] > \epsilon$. Hence, because $|Q_w| \le n$, by the pigeonhole principle there exists $a \in Q_w$ such
that $\Pr_{(u,v) \leftarrow_R E}[a \in Q_v] \ge \epsilon/n$. But this is a contradiction, because then $a$ should be in $\mathcal{I}$ by the definition of
the attack and cannot be in $Q_w$. The same argument shows that for every $w \in V_R$, $\sum_{u \in V_L,\, u \not\sim w} d(u) \le \epsilon|E|$.
So we proved that for any vertex $w$ we have $|E^{\not\sim}(w)| = |\{(u,v) \in E \mid u \not\sim w \wedge w \not\sim v\}| \le \epsilon|E|$, and $d(w) > 0$
for every $w \in V_L \cup V_R$. Now the following claim proves the lemma.

Claim 4.6. Let $G = (V_L, V_R, E)$ be a nonempty bipartite graph such that for every vertex $w$, $|E^{\not\sim}(w)| \le \epsilon|E|$
for some $\epsilon < 1/2$. Then for all $u \in V_L$, $d(u) \ge |V_R|(1 - 2\epsilon)$ and for every $v \in V_R$, $d(v) \ge |V_L|(1 - 2\epsilon)$.

Proof. Let $d_L = \min\{d(u) \mid u \in V_L\}$ and $d_R = \min\{d(v) \mid v \in V_R\}$. Note that we have $d_L > 0$ and $d_R > 0$. By
switching the left and right sides if necessary, we may assume without loss of generality that

$$(*)\qquad \frac{d_L}{|V_R|} \le \frac{d_R}{|V_L|} .$$

Thus it suffices to prove that $1 - 2\epsilon \le \frac{d_L}{|V_R|}$. Suppose $1 - 2\epsilon > \frac{d_L}{|V_R|}$ and let $u \in V_L$ be a vertex with
$d(u) = d_L < (1 - 2\epsilon)|V_R|$. Because for all $v \in V_R$ we have $d(v) \le |V_L|$, therefore $|E^{\sim}(u)| \le d_L|V_L| \le d_R|V_R|$
(using $(*)$), where $E^{\sim}(u) = E \setminus E^{\not\sim}(u)$. On the other hand, since we assumed $|\{v \in V_R \mid u \not\sim v\}| > 2\epsilon|V_R|$, we
have $|E^{\not\sim}(u)| \ge 2\epsilon|V_R|\,d_R$. So $|E^{\sim}(u)| \le |E^{\not\sim}(u)|/(2\epsilon)$, and therefore

$$|E^{\not\sim}(u)| \le \epsilon\,\big(|E^{\sim}(u)| + |E^{\not\sim}(u)|\big) \le \epsilon|E^{\not\sim}(u)| + |E^{\not\sim}(u)|/2 ,$$

which is a contradiction for $\epsilon < 1/2$. □

□ 



4.1.3 Proving Lemma 4.3 

Now we can prove Lemma 4.3. Let $B, M, \mathcal{I}$ be as in Lemma 4.3 and let $q$ be Bob's query, which is now fixed. By
Lemma 4.4, the distribution $\mathcal{GEXEC}(M,\mathcal{I})$ conditioned on getting $B$ as Bob's view is the same as $(\mathcal{A} \times \mathcal{B})$
conditioned on $\mathrm{Good}(M,\mathcal{I}) \wedge (\mathcal{B} = B)$. By the definition of the bipartite graph $G = (V_L, V_R, E)$ it is the same
as choosing a random edge $(u,v) \leftarrow_R E$ conditioned on $B_v = B$ and choosing $(A_u, B_v)$. We prove Lemma 4.3
even conditioned on fixing $v$ such that $B_v = B$. Now the distribution on Alice's view is the same as choosing
$u \leftarrow_R N(v)$ to be a random neighbor of $v$ and choosing $A_u$. Let $S = \{u \in V_L \mid q \in Q(A_u)\}$. Then we have:

$$\Pr_{u \leftarrow_R N(v)}[q \in Q(A_u)] = \frac{|S \cap N(v)|}{d(v)} \le \frac{|S|}{(1 - 2\epsilon)|V_L|} \le \frac{|S|\,|V_R|}{(1 - 2\epsilon)|E|} \le \frac{\sum_{u \in S} d(u)}{(1 - 2\epsilon)^2 |E|} \le \frac{\epsilon/n}{(1 - 2\epsilon)^2} \le \frac{10\epsilon}{n} .$$

The second and fourth inequalities are because of Lemma 4.5. The third one is because $|E| \le |V_L||V_R|$.
The fifth one is because of the definition of the attack, which asks all $\epsilon/n$ heavy queries, and the sixth one is
because $\epsilon < 1/3$. □
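The objects used in Lemma 4.5, Claim 4.6 and the chain of inequalities above can be computed exactly on a toy instance. The following Python block is an added example, not code from the paper: it builds the bipartite graph $G$ from constructed query sets (the sets `ALICE_VIEWS`, `BOB_VIEWS` and `EVE_QUERIES` and all function names are our own choices, not the paper's notation), computes $d(w)$ and $|E^{\not\sim}(w)|$, finds the smallest $\epsilon$ for which the hypothesis of Claim 4.6 holds, and then checks both the claim's conclusion and the inequality $\Pr_{u \leftarrow N(v)}[q \in Q_u] \le \Pr_{(u,v) \leftarrow E}[q \in Q_u]/(1-2\epsilon)^2$ from the proof of Lemma 4.3 with exact rational arithmetic.

```python
from fractions import Fraction

# Constructed toy instance (not from the paper). Each entry is the set of oracle
# queries Q(A_u) in one Alice view, resp. Q(B_v) in one Bob view; EVE_QUERIES plays
# the role of Q(I), the queries Eve has already asked.
ALICE_VIEWS = [{"a", "h0"}, {"b"}, {"a", "c"}, {"h0"}]
BOB_VIEWS = [{"d"}, {"b", "h0"}, {"e"}]
EVE_QUERIES = {"h0"}


def build_graph(alice_views, bob_views, eve_queries):
    """Return (Q_L, Q_R, E): Q_u = Q(A_u) \\ Q(I), Q_v = Q(B_v) \\ Q(I), and the edge
    (u, v) is present iff Q_u and Q_v are disjoint (u ~ v in the paper's notation)."""
    q_left = [set(q) - set(eve_queries) for q in alice_views]
    q_right = [set(q) - set(eve_queries) for q in bob_views]
    edges = [(u, v) for u in range(len(q_left)) for v in range(len(q_right))
             if not (q_left[u] & q_right[v])]
    return q_left, q_right, edges


Q_LEFT, Q_RIGHT, EDGES = build_graph(ALICE_VIEWS, BOB_VIEWS, EVE_QUERIES)


def degree(side, w, edges):
    """d(w) for a vertex w on side "L" (Alice) or "R" (Bob)."""
    pos = 0 if side == "L" else 1
    return sum(1 for e in edges if e[pos] == w)


def neighbors(side, w, edges):
    """N(w): the vertices on the other side adjacent to w."""
    pos, other = (0, 1) if side == "L" else (1, 0)
    return {e[other] for e in edges if e[pos] == w}


def non_adjacent_edges(side, w, edges):
    """|E^not~(w)|: edges whose endpoint on the other side is not a neighbour of w."""
    other = 1 if side == "L" else 0
    nbrs = neighbors(side, w, edges)
    return sum(1 for e in edges if e[other] not in nbrs)


def density_eps(n_left, n_right, edges):
    """Smallest eps with |E^not~(w)| <= eps*|E| for every vertex (hypothesis of Claim 4.6)."""
    worst = max([non_adjacent_edges("L", u, edges) for u in range(n_left)] +
                [non_adjacent_edges("R", v, edges) for v in range(n_right)])
    return Fraction(worst, len(edges))


def min_degree_fractions(n_left, n_right, edges):
    """(min_u d(u)/|V_R|, min_v d(v)/|V_L|), the two quantities Lemma 4.5 bounds from below."""
    left = min(Fraction(degree("L", u, edges), n_right) for u in range(n_left))
    right = min(Fraction(degree("R", v, edges), n_left) for v in range(n_right))
    return left, right


def claim_4_6_holds(n_left, n_right, edges):
    """Check the conclusion of Claim 4.6 for the eps given by density_eps (needs eps < 1/2)."""
    eps = density_eps(n_left, n_right, edges)
    if eps >= Fraction(1, 2):
        return None  # the claim says nothing in this case
    left, right = min_degree_fractions(n_left, n_right, edges)
    return left >= 1 - 2 * eps and right >= 1 - 2 * eps


def heavy_prob(query, q_left, edges):
    """Pr_{(u,v)<-E}[query in Q_u] = sum_{u in S} d(u) / |E|: the probability the attack
    compares against the eps/n threshold when deciding whether Eve asks `query`."""
    return Fraction(sum(1 for (u, _) in edges if query in q_left[u]), len(edges))


def prob_given_bob(query, v, q_left, edges):
    """Pr_{u<-N(v)}[query in Q_u]: Bob's view fixed to vertex v, Alice a uniform neighbour."""
    nbrs = neighbors("R", v, edges)
    return Fraction(sum(1 for u in nbrs if query in q_left[u]), len(nbrs))


def lemma_4_3_chain_holds(query, v, q_left, n_right, edges):
    """The inequality chain of Lemma 4.3's proof, with eps taken from density_eps:
    Pr_{u<-N(v)}[q in Q_u] <= Pr_{(u,v)<-E}[q in Q_u] / (1-2eps)^2."""
    eps = density_eps(len(q_left), n_right, edges)
    bound = heavy_prob(query, q_left, edges) / (1 - 2 * eps) ** 2
    return prob_given_bob(query, v, q_left, edges) <= bound
```

On the constructed instance the graph has 11 edges, the only non-adjacent pair is the Alice view $\{b\}$ and the Bob view $\{b, h0\}$, so $\epsilon = 3/11$, and every vertex indeed has degree at least $(1 - 2\epsilon)$ times the size of the other side; `heavy_prob` is what Eve's attack measures, `prob_given_bob` is what Bob actually sees, and the chain bounds the latter by the former.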



4.2 Efficiency of attack: proof of Lemma 4.2 

We call an event $E$ defined over partial executions of $\mathcal{EXEC}$ lasting if whenever $E$ holds for a partial execution,
it holds for all extensions of it (i.e., partial executions that we get by continuing the experiment). For
example, the events $\mathrm{Fail}$ and $\mathrm{Long}$ are both lasting. For a lasting event $E$, let $\mathcal{EXEC}(E)$ be the same
experiment as $\mathcal{EXEC}$ with the difference that we stop the execution as soon as $E$ happens. Note that we have
$\Pr_{\mathcal{EXEC}}[E \vee D] = \Pr_{\mathcal{EXEC}(E)}[E \vee D]$ for every lasting event $D$.
Proof outline of Lemma 4.2. The proof proceeds by the following two steps:

1. If at any point during a partial execution of $\mathcal{EXEC}$ we get $\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\neg\mathrm{Good}(M,\mathcal{I})] > 1/2$, where
$(M,\mathcal{I})$ are the current sequence of messages and Eve's set of query/answer pairs, we say that the event
$\mathrm{Bad}$ holds for this partial execution and all extensions of this execution. Note that the event $\mathrm{Bad}$ is
a lasting event. We will first use the success property of the attack, $\Pr_{\mathcal{EXEC}}[\mathrm{Fail}] \le 20\epsilon$, to show that
$\Pr_{\mathcal{EXEC}}[\mathrm{Bad}] \le 40\epsilon$, which means also $\Pr_{\mathcal{EXEC}(\mathrm{Bad})}[\mathrm{Bad}] \le 40\epsilon$.

2. In the experiment $\mathcal{EXEC}(\mathrm{Bad})$, whenever Eve asks a query $q$ which is $\epsilon/n$ heavy for the distribution
$\mathcal{GEXEC}(M,\mathcal{I})$, it is also $\gamma = \frac{\epsilon}{2n}$ heavy for $\mathcal{EXEC}(M,\mathcal{I})$ because $\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\mathrm{Good}(M,\mathcal{I})] \ge 1/2$. We
will use this fact to show that in $\mathcal{EXEC}(\mathrm{Bad})$ on average Eve will not ask more than $N = \frac{2n}{\gamma} = \frac{4n^2}{\epsilon}$
queries. Since $\mathrm{Long}$ is the event that Eve asks more than $\frac{N}{4\epsilon} = \frac{n^2}{\epsilon^2}$ queries, by Markov's
inequality we have $\Pr_{\mathcal{EXEC}(\mathrm{Bad})}[\mathrm{Long}] \le 4\epsilon$, and therefore we will have

$$\Pr_{\mathcal{EXEC}}[\mathrm{Long}] \le \Pr_{\mathcal{EXEC}}[\mathrm{Long} \vee \mathrm{Bad}] = \Pr_{\mathcal{EXEC}(\mathrm{Bad})}[\mathrm{Long} \vee \mathrm{Bad}] \le \Pr_{\mathcal{EXEC}(\mathrm{Bad})}[\mathrm{Long}] + \Pr_{\mathcal{EXEC}(\mathrm{Bad})}[\mathrm{Bad}] \le 44\epsilon .$$



4.2.1 Step 1: Bounding $\Pr_{\mathcal{EXEC}}[\mathrm{Bad}]$

Note that $\neg\mathrm{Good}(M,\mathcal{I})$ implies that $\mathrm{Fail}_i$ has already happened for some $i$, and so $\neg\mathrm{Good}(M,\mathcal{I})$ implies $\mathrm{Fail}$.
The following lemma is implied by Lemma 6.4 in [ir], but we give a proof here for the sake of completeness.

Lemma 4.7. $\Pr_{\mathcal{EXEC}}[\mathrm{Bad}] \le 40\epsilon$.

Proof. Let us assume $\Pr_{\mathcal{EXEC}}[\mathrm{Bad}] > 40\epsilon$; we will prove $\Pr_{\mathcal{EXEC}}[\mathrm{Fail}] > 20\epsilon$, which is a contradiction. When
we run the system and the attack, instead of choosing the whole randomness (for Alice, Bob, and the oracle)
at the beginning, we can choose some parts of the system first (according to their distribution in the original
experiment), and then choose the rest of it from their distribution conditioned on the known parts. The lazy
evaluation of the oracle answers is a special case of this general method. Therefore we can do as follows:

1. Run the system till an arbitrary point to get $(M,\mathcal{I})$ as Eve's information about the system. We pretend
that till this point we have just sampled $(M,\mathcal{I})$, and the rest of the system's description is not chosen
yet.

2. Choose the "true" view of Alice and Bob till this point from their distribution $\mathcal{EXEC}(M,\mathcal{I})$.

3. Continue running the system conditioned on the views of Alice, Bob, and Eve so far.

The moment at which we sample Alice and Bob's views in the second step of the mentioned method is
arbitrary, and we can choose this point to be the moment that $\mathrm{Bad}$ happens (if it happens at all). In other
words, we run the game till the moment that $\mathrm{Bad}$ happens, i.e., $\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\neg\mathrm{Good}(M,\mathcal{I})] > 1/2$, then
choose Alice and Bob's computation so far, and then continue the game. If $\mathrm{Bad}$ never happens we sample
Alice and Bob's computation just at the end.

Since $\neg\mathrm{Good}(M,\mathcal{I}) \subseteq \mathrm{Fail}$, when $\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\neg\mathrm{Good}(M,\mathcal{I})] > 1/2$ happens for the first time in our
execution of the system and we choose Alice and Bob's previous computation, $\mathrm{Fail}$ will hold for this run of
the system with probability at least $1/2$. So, if $\Pr_{\mathcal{EXEC}}[\mathrm{Bad}] > 40\epsilon$, then with probability at least $(40\epsilon)/2 = 20\epsilon$
the event $\mathrm{Fail}$ holds in the system, which is not possible. □
4.2.2 Step 2: Bounding $\Pr_{\mathcal{EXEC}(\mathrm{Bad})}[\mathrm{Long}]$

Let $\gamma = \frac{\epsilon}{2n}$ and $N = \frac{2n}{\gamma} = \frac{4n^2}{\epsilon}$ be as defined above. The following lemma shows that $\Pr_{\mathcal{EXEC}(\mathrm{Bad})}[\mathrm{Long}] \le 4\epsilon$,
where $\mathrm{Long}$ is the event of asking more than $\frac{N}{4\epsilon} = \frac{n^2}{\epsilon^2}$ queries.

Lemma 4.8. The expected number of queries asked by Eve in $\mathcal{EXEC}(\mathrm{Bad})$ is at most $N = \frac{2n}{\gamma} = \frac{4n^2}{\epsilon}$.

Proof. By definition, whenever Eve asks a query $q$, it is $\epsilon/n$ heavy in the distribution $\mathcal{GEXEC}(M,\mathcal{I})$, and since
we always have $\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\mathrm{Good}(M,\mathcal{I})] \ge \frac{1}{2}$ in $\mathcal{EXEC}(\mathrm{Bad})$ (whenever Eve is asking a query), we
have:

$$\Pr_{\mathcal{EXEC}(M,\mathcal{I})}[q \in Q(A) \cup Q(B)] \ge \Pr_{\mathcal{EXEC}(M,\mathcal{I})}[\mathrm{Good}(M,\mathcal{I})] \cdot \Pr_{\mathcal{GEXEC}(M,\mathcal{I})}[q \in Q(A) \cup Q(B)] \ge \frac{1}{2} \cdot \frac{\epsilon}{n} = \gamma .$$

Define the random variable $Y_j$ to be $1$ if the $j$-th query Eve makes was asked before by Alice or Bob, and $0$ otherwise.
Clearly $\sum_j Y_j \le 2n$ since Alice and Bob each make at most $n$ queries, and hence

$$\sum_j \mathbb{E}[Y_j] = \mathbb{E}\Big[\sum_j Y_j\Big] \le 2n . \tag{2}$$

Claim: Let $p_j$ be the probability that Eve asks a $j$-th query. Then $\mathbb{E}[Y_j] \ge p_j\gamma$.

Note that $\sum_j p_j$ is the expected number of queries asked by Eve, and the claim together with (2) implies that
$\sum_j p_j \le \frac{2n}{\gamma} = N$, hence proving the lemma.

Proof of Claim: Define $Y_j^q$ to be $1$ if the $j$-th query that Eve asks is $q$ and $q$ was asked before by Alice
or Bob. Then $\mathbb{E}[Y_j] = \sum_q \mathbb{E}[Y_j^q]$. Let $O_j$ be a random variable that, whenever there is a $j$-th query asked
by Eve, denotes the information (i.e., transcript and query/answer pairs) that Eve has up to the point
when it makes its $j$-th query. In an execution where Eve makes fewer than $j$ queries, we define $O_j = \bot$. Note
that the $j$-th query of Eve is determined by $O_j$, which we denote by $q(O_j)$ (and we define $q(\bot) = \bot$). Let
$W_j = \mathrm{Supp}(O_j) \setminus \{\bot\}$, and so we will have:

$$\mathbb{E}[Y_j^q] = \sum_{L \in W_j,\ q(L) = q} \Pr[O_j = L] \cdot \Pr[q \text{ asked before by Alice or Bob} \mid O_j = L] .$$

But by definition, if $q(L) = q$ we have $\Pr[q \text{ is asked before by Alice or Bob} \mid O_j = L] \ge \gamma$, meaning that
$\mathbb{E}[Y_j^q] \ge \gamma \sum_{L \in W_j,\ q = q(L)} \Pr[O_j = L]$, and hence

$$\mathbb{E}[Y_j] \ge \gamma \sum_q \sum_{L \in W_j,\ q = q(L)} \Pr[O_j = L] = \gamma \sum_{L \in W_j} \Pr[\text{Eve queries some } q \text{ as its } j\text{-th query} \mid O_j = L] \Pr[O_j = L] = \gamma p_j .$$

□



4.3 Removing the normal form assumption 

In this section we show how to get an attack of the same $O(n^2/\delta^2)$ complexity finding all the intersection
queries of Alice and Bob for a more general form of protocols. The proof has the following two steps:

1. We extend the result with the same complexity of $O(n^2/\delta^2)$ queries for the attack to "seminormal"
protocols by a slightly more careful analysis of the same attack given above. A seminormal protocol is a
protocol in which Alice and Bob can ask either zero or one query in each of their rounds. Again Alice
and Bob ask at most $n$ queries each, but the number of rounds $R$ can be arbitrarily larger than $n$.

2. Any protocol can be changed into a seminormal protocol without increasing $n$ or losing security.
Suppose $i$ is a round in the original protocol in which Bob is going to ask $k \le n$ queries ($k$
is not known to Eve or Alice) and then send the message $m_i$ to Alice. In the new protocol, this round
will be divided into $2n - 1$ sub-rounds. In the $j$-th sub-round (of this round), if $j$ is even, Alice will just
send the message $\bot$ to Bob. So let $j$ be an odd number. If $j \le k$, Bob will ask his $j$-th query which he
was going to ask in the $i$-th round of the original protocol, and if $j > k$ he asks no query. If $j < 2n - 1$,
Bob also sends the message $\bot$ to Alice in sub-round $j$, and if $j = 2n - 1$ he sends his message $m_i$
to Alice. It is clear that this artificial change only increases the number of rounds and will not give
Eve any extra information, and therefore it is as secure as the original protocol. In the actual attack,
Eve will pretend that Alice and Bob are sending the extra $\bot$ messages to each other in the sub-rounds
and will attack the protocol in the seminormal form, and as we will prove she finds all the intersection
queries with probability $1 - \delta$ using $O(n^2/\delta^2)$ queries.

Attack for seminormal protocols. Now we assume that Alice and Bob run a seminormal protocol in
which each of them asks at most $n$ oracle queries. We prove that the same attack of Section 3 finds
all the intersection queries with probability $1 - \delta$ using $O(n^2/\delta^2)$ queries. We only show that the attack
is successful in finding all the intersection queries; the same argument as before shows that the efficiency
follows from the success property. Let $\mathrm{BFail}_i$ be the event that Bob's $i$-th query is the first intersection query
out of $\mathcal{I}$, and similarly let $\mathrm{AFail}_i$ be the event that Alice's $i$-th query is the first intersection query out of $\mathcal{I}$.

Lemma 4.9. For every $1 \le i \le n$, we have $\Pr[\mathrm{BFail}_i] \le 10\epsilon/n$ and $\Pr[\mathrm{AFail}_i] \le 10\epsilon/n$.

Lemma 4.9 shows that $\Pr[\mathrm{Fail}] = \Pr[\vee_i (\mathrm{BFail}_i \vee \mathrm{AFail}_i)] \le \sum_{1 \le i \le n} \Pr[\mathrm{BFail}_i] + \Pr[\mathrm{AFail}_i] \le 20\epsilon$. But
Lemma 4.9 simply follows from Lemma 4.3, because Lemma 4.3 shows that $\Pr[\mathrm{BFail}_i] \le 10\epsilon/n$ holds even
conditioned on a specific $B$ describing Bob's view till the moment he is going to ask his $i$-th query. Note that
the proof of Lemma 4.3 only used the fact that Alice and Bob ask at most $n$ queries each and did not depend
on the number of rounds.

5 Finding the secret 

Now, we turn to the question of finding the secret. Theorem 6.2 in [ir] shows that once one finds all the
intersection queries, with $O(n^2)$ more queries one can also find the actual secret. Here we use the properties
of our attack to show that we can do so even without asking more queries.

Theorem 5.1. Assume that the total number of queries asked by Alice and Bob is at most $n$ each, and their
outputs agree with probability at least $\rho$ having access to a random oracle. Then there is an adversary Eve
asking at most $O(n^2/\delta^2)$ queries such that Eve's output agrees with Bob's output with probability at
least $\rho - \delta$.

Proof. Let us assume that in the last round of the protocol Alice sends a special message LAST to Bob. In
order to find the secret, Eve runs the attack of Section 3.1^ and at the end (when Alice has sent LAST and
Eve has asked her queries from the oracle), Eve samples $(A,B) \leftarrow_R \mathcal{GEXEC}(M,\mathcal{I})$ (where $(M,\mathcal{I})$ is Eve's
information at the moment) and outputs the secret $s(A)$ determined by Alice's view $A$. Now we prove that
her secret agrees with Bob's secret with probability $\rho - O(\epsilon)$, and the theorem follows by setting $\delta = c\epsilon$ for a
sufficiently small constant $c$.

^ Again, we are interested in the case that the event $\mathrm{Fail} \vee \mathrm{Long}$ does not happen in the attack, and this is the case with
probability at least $1 - O(\epsilon)$.

Let the random variables $\mathbf{A}, \mathbf{B}, \mathbf{E}$ be, in this order, the view of Alice, Bob, and Eve at the end of the
game. Let $\hat{\mathbf{A}}$ be the random variable generated by sampling $(A,B) \leftarrow_R \mathcal{GEXEC}(M,\mathcal{I})$, where $M,\mathcal{I}$ are
the information specified in $\mathbf{E}$, and choosing $A$ from it. (So $s(\hat{\mathbf{A}})$ is Eve's output.) We will prove that
$SD((\hat{\mathbf{A}},\mathbf{B},\mathbf{E}),(\mathbf{A},\mathbf{B},\mathbf{E})) \le O(\epsilon)$. Then it follows that $|\Pr[s(\hat{\mathbf{A}}) = s(\mathbf{B})] - \Pr[s(\mathbf{A}) = s(\mathbf{B})]| \le O(\epsilon)$. For
$(A,B,E) \in \mathrm{Supp}(\mathbf{A} \times \mathbf{B} \times \mathbf{E})$ we say the event $\mathrm{Good}(A,B,E)$ holds if $A$ and $B$ do not have any intersection
query out of $\mathcal{I}$, where $(M,\mathcal{I}) = E$. The proof follows from the following three claims:

1. $\Pr[\neg\mathrm{Good}(\mathbf{A},\mathbf{B},\mathbf{E})] \le O(\epsilon)$.

2. $\Pr[\neg\mathrm{Good}(\hat{\mathbf{A}},\mathbf{B},\mathbf{E})] \le \epsilon$.

3. $SD\big((\hat{\mathbf{A}},\mathbf{B},\mathbf{E}) \mid \mathrm{Good}(\hat{\mathbf{A}},\mathbf{B},\mathbf{E}),\ (\mathbf{A},\mathbf{B},\mathbf{E}) \mid \mathrm{Good}(\mathbf{A},\mathbf{B},\mathbf{E})\big) \le 2\epsilon$.

The first claim follows from Theorem 3.1. The second claim is true because after fixing $\mathbf{E} = (M,\mathcal{I})$, the
random variable $\hat{\mathbf{A}}$ is independent of $\mathbf{B}$, and if we fix $\mathbf{B} = B$ any query of $Q(B)$ has chance at most $\epsilon/n$ of
being in $Q(\hat{\mathbf{A}})$ and there are at most $n$ such queries.

So we only need to prove the third claim, which we do even for fixed $\mathbf{B} = B$ and fixed $\mathbf{E} = E = (M,\mathcal{I})$. As
we will see, the claim basically follows from Lemma 4.5. Let $G = (V_L, V_R, D)$ be the graph characterization
of $\mathcal{GEXEC}(M,\mathcal{I})$. Hence we have:

• The distribution of $\mathbf{A}$ in $(\mathbf{A},\mathbf{B},\mathbf{E}) \mid \mathrm{Good}(\mathbf{A},\mathbf{B},\mathbf{E})$ is the same as choosing $v \leftarrow_R V_R$ such that $B_v = B$
(because all the vertices $\{v \mid B_v = B\}$ have the same set of neighbors) and then choosing a random
neighbor $u \leftarrow_R N(v)$ of it and getting $A_u$.

• The distribution of $\hat{\mathbf{A}}$ in $(\hat{\mathbf{A}},\mathbf{B},\mathbf{E}) \mid \mathrm{Good}(\hat{\mathbf{A}},\mathbf{B},\mathbf{E})$ is the same as choosing $v \leftarrow_R V_R$ such that $B_v = B$
(because all of the vertices $\{v \mid B_v = B\}$ have the same set of neighbors) and then choosing a random
edge $(u,v') \leftarrow_R D$ conditioned on $u \sim v$ and then getting $A_u$. The last step (of choosing $u$) is the same
as choosing $u \in N(v)$ with probabilities proportional to their degrees.

We show that the two above distributions have statistical distance at most $2\epsilon$ even for a fixed $v$ such that
$B_v = B$. The first distribution chooses $u \in N(v)$ uniformly at random, but the second distribution chooses
$u \in N(v)$ with probabilities proportional to their degrees. But since for every $u \in V_L$, $(1 - 2\epsilon)|V_R| \le d(u) \le
|V_R|$ (and $\epsilon < 1/4$), one can easily show that the statistical distance is bounded by $2\epsilon$. □
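The last step of the proof, comparing a uniform choice of $u \in N(v)$ with a degree-weighted one, can be made explicit. Writing $s$ for the average degree over $N(v)$, $m = |N(v)|$ and $D = |V_R|$, the degree-weighted probability $d(u)/(ms)$ differs from $1/m$ by $|d(u) - s|/(ms) \le 2\epsilon D/(m(1-2\epsilon)D)$, so summing over the $m$ neighbours and halving gives a statistical distance of at most $\epsilon/(1-2\epsilon)$, which is at most $2\epsilon$ for $\epsilon \le 1/4$. The following Python block is an added example, not code from the paper: it computes that distance exactly for a constructed worst-case degree profile (all function names are our own, and `extremal_degrees` is a constructed instance, not a graph arising from any protocol).

```python
from fractions import Fraction


def uniform_vs_degree_weighted_sd(degrees):
    """Statistical distance between (i) picking u in N(v) uniformly and (ii) picking u
    with probability d(u) / sum_{u' in N(v)} d(u'); `degrees` lists d(u) over u in N(v)."""
    m = len(degrees)
    total = sum(degrees)
    return sum(abs(Fraction(d, total) - Fraction(1, m)) for d in degrees) / 2


def sd_bound(eps):
    """eps/(1-2eps): what the range (1-2eps)|V_R| <= d(u) <= |V_R| gives for the distance
    above (derivation in the lead-in); it is at most 2eps once eps <= 1/4."""
    eps = Fraction(eps)
    return eps / (1 - 2 * eps)


def degrees_in_range(degrees, n_right, eps):
    """Whether every listed degree satisfies (1-2eps)|V_R| <= d(u) <= |V_R| (Lemma 4.5)."""
    low = (1 - 2 * Fraction(eps)) * n_right
    return all(low <= d <= n_right for d in degrees)


def extremal_degrees(m, n_right, eps):
    """Constructed worst case: half of N(v) has the maximal degree |V_R|, the other half
    the minimal degree (1-2eps)|V_R| allowed by Lemma 4.5 (eps chosen so this is an integer)."""
    low = (1 - 2 * Fraction(eps)) * n_right
    assert low.denominator == 1, "pick eps so that (1-2eps)|V_R| is an integer"
    return [n_right] * (m // 2) + [int(low)] * (m - m // 2)


def claim_3_holds(degrees, n_right, eps):
    """The statement proved at the end of Section 5: under Lemma 4.5's degree range and
    eps <= 1/4, the two ways of choosing Alice's vertex are within statistical distance 2eps.
    Returns None when the hypotheses are not met."""
    eps = Fraction(eps)
    if not degrees_in_range(degrees, n_right, eps) or eps > Fraction(1, 4):
        return None
    sd = uniform_vs_degree_weighted_sd(degrees)
    return sd <= sd_bound(eps) <= 2 * eps
```

For $|V_R| = 8$ and $\epsilon = 1/8$ the extremal profile is $[8, 8, 6, 6]$; its distance from uniform is $1/14$, comfortably below the bound $\epsilon/(1-2\epsilon) = 1/6$ and below $2\epsilon = 1/4$. A profile with a degree below $(1-2\epsilon)|V_R|$ violates Lemma 4.5's hypothesis, and `claim_3_holds` reports that rather than a bound.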

Acknowledgements. We thank Russell Impagliazzo for useful discussions, and also for his warning that
attempting to prove an $O(n^2)$ bound for this problem leads naturally to conjecturing (and even conjecturing
that you proved) intermediate results that are simply not true. He was much more prescient than we realized
at the time.
A The error in the previous proof

The original paper [bmg] contained a wrong proof for Theorem 1.1. The idea of that proof was to describe the
attack for another setting in which Alice and Bob will get independent oracle answers for the same query $q$ if
they ask it before Eve. The experiment was called Imag and the original experiment (in which oracle answers are
the same for everyone) was called Real. The point is that if we bound the probability of (the first) missing of
an intersection query in either of Imag or Real, it bounds that probability in the other setting as well, because
before that event the experiments are the same. It was claimed in Lemma 5.5 of [bmg] that conditioned
on Eve's information till some point, the distribution of Alice and Bob's computations before that point are
independent, but it was not correct. Below we explain why.

Let $E = (M,\mathcal{I})$ be Eve's information and let $B$ describe Bob's computation, and suppose we want to sample Alice's
computation $A$ (in Imag) conditioned on $(E, r_b)$. Lemma 5.4 of [bmg] claimed correctly that the consistency
of $(E,A)$ is necessary and sufficient for the consistency of $(E,A,B)$ (i.e. $\mathrm{Supp}(A \mid E) \times \mathrm{Supp}(B \mid E) =
\mathrm{Supp}(A \times B \mid E)$), but it does not mean that $A$ can be chosen uniformly at random, and the correct
distribution actually depends on $B$.

One way to see why there is such a dependency is to compute $\Pr[(A,B,M,\mathcal{I}) \text{ happen in the Imag experiment}]$
where Alice and Bob have no private intersection query: $Q(A) \cap Q(B) \subseteq \mathcal{I}$. Let $|r_a|, |r_b|$ be the length of the
(original) randomness of Alice and Bob which does not describe their oracle answers (in [bmg] the parties'
randomness had the oracle answers as well). Now, as opposed to what we had in Lemma 4.4 (of this paper),
this probability is equal to

$$\Pr[(A,B,M,\mathcal{I}) \text{ happen in the Imag experiment}] = 2^{-|r_a|}\, 2^{-|r_b|}\, 2^{-\ell\,|Q(A) \cup Q(B) \cup \mathcal{I}|}\, 2^{-\ell k}$$

where $k$ is the number of intersection queries of Alice and Bob (according to $(A,B,M,\mathcal{I})$) which Eve has
asked later at some point. The reason is that for such queries we have chosen the answer randomly
at two points (i.e., when Alice asked it and when Bob asked it), and then when Eve asked it for the last
time there was no coin tossing for getting the answer. It is different from the case for other queries which,
say, Alice asked first, Eve asked second, and Bob asked last. In the latter case we only choose
the random answer for Alice and no randomness is used later. The term $2^{-\ell k}$ makes the probability
dependent on the order in which Alice and Bob ask their queries in the computation described by $(A,B,M,\mathcal{I})$. The
positive (misleading) thing about $\Pr[(A,B,M,\mathcal{I}) \text{ happen in the Imag experiment}]$ is that when we do not
necessarily have $Q(A) \cap Q(B) \subseteq \mathcal{I}$, a secret intersection query of Alice and Bob contributes $2^{-2\ell}$ to the probability,
which can be divided into two parts $2^{-\ell} \times 2^{-\ell}$ between Alice and Bob, but as we said, for intersection queries
that Eve also asks later, the contribution of that query to the probability depends on the order in which the
parties ask it.
Therefore, when we want to know the distribution of Alice in Imag conditioned on $(M,\mathcal{I})$, if $q$ is asked
in Alice's view $A$ and also we have $q \notin \mathcal{I}$, then $A$ is less probable in the case Bob has asked $q$ before Eve
compared to the case that it is asked after Eve.